An enhanced iteration of Kazuar, a relatively obscure but “highly functional” backdoor Trojan, has boosted its capabilities to be more challenging to detect, and can now operate covertly while thwarting analysis and malware protection tools. Kazuar, based on Microsoft’s .NET framework, has been associated with advanced persistent threat (APT) espionage campaigns in recent years.
That’s according to Palo Alto Networks’ Unit 42 threat intelligence researchers this week, who warned that the Russian-backed APT that it calls Pensive Ursa has already used the new version of Kazuar to target Ukraine’s defense sector. Pensive Ursa (aka Turla Group, Snake, Uroburos, and Venomous Bear), has been linked with the Russian Federal Security Service (FSB) and has a trail dating back to 2004.
In the most recent Ukrainian attacks, confirmed by an advisory issued by the Ukrainian CERT in July, the attackers reportedly were seeking sensitive assets, including messages, source control, and cloud platform data, according to the Unit 42 analysis.
“The recent campaign that the Ukrainian CERT reported unveiled the multi-staged delivery mechanism of Kazuar, together with other tools such as the new Capibar first-stage backdoor,” threat researchers Daniel Frank and Tom Fakternan explained in the report from Unit 42, which was among the earliest to discover Kazuar, in 2017. “Our technical analysis of this recent variant — seen in the wild after years of hiatus — showed significant improvements to its code structure and functionality.”
Kazuar’s Expanded Capabilities
Since discovering Kazuar’s use by Turla in 2017 and again in 2020, threat researchers have only identified it in a handful of scenarios during the past six years, primarily against the military and European government entities. As noted in its May 2017 advisory, Unit 42 researchers described Kazuar as a multiplatform espionage backdoor Trojan with API access to an embedded Web server.
The .NET-based Kazuar has a sophisticated set of commands that allows attackers to remotely load plugins that give the Trojan expanded capabilities. Unit 42 researchers have also discovered evidence of a Mac or Unix variant of the tool.
Kazuar utilizes a command-and-control channel (C2) that gives attackers access to systems and lets them exfiltrate data, according to the researchers. It can use multiple protocols, including HTTP, HTTPS, FTP, or FTPS.
Some Overlap With Sunburst
In January 2021, Kaspersky reported that it found some features in Kazuar that overlap with Sunburst, the backdoor discovered a month earlier by FireEye (now Google’s Mandiant) used in the broad SolarWinds supply chain attack. Similarly, Sunburst is a backdoor Trojan that can communicate with other Web servers using standard HTTP links by operating as a digitally signed component of SolarWinds’ widely used Orion IT management offering.
“A number of unusual, shared features between Sunburst and Kazuar include the victim UID generation algorithm, the sleeping algorithm, and the extensive usage of the FNV-1a hash,” Kaspersky researchers explained. “Both Kazuar and Sunburst have implemented a delay between connections to a C2 server, likely designed to make the network activity less obvious.”
Matthieu Faou, a senior malware researcher at ESET, agrees with Unit 42’s findings. ESET observed a similar Kazuar malware sample deployed at a Ministry of Foreign Affairs of a South American country in December 2021.
“Kazuar is very typical of complex implants that Turla used a lot in the past (such as Carbon, ComRAT and Gazer),” Faou says. “It uses compromised WordPress websites as C2 servers, which is also very typical for the group.”